item 6548663

nxn | 12 years ago

I'm sort of confused, because TLS 1.1/1.2 support across browsers looks to be quite poor at the moment, especially given the large number of IE visitors who will likely upgrade to IE11 (the first version that will have TLS 1.1/1.2 enabled by default) sometime around the year 2016.

With that said, I was under the impression that sites will need to support TLS 1.0 for a good long while, and if that is indeed the case, would they not be better off using RC4? From my understanding, the RC4 attacks seemed less practical than attacks against the implementation of CBC mode in SSL 3.0 / TLS 1.0?


tptacek | 12 years ago

It's not that simple.

Yes, the installed base is going to keep TLS 1.0 and the legacy SSL block cipher construction in deployment for a long time.

Yes, smart people (among them AGL) have said that the RC4 attack is less practical than the M-t-E timing attack on the SSL CBC ciphers. (By the way, it would be great if we could start putting the blame on M-t-E instead of CBC; the vulnerability isn't in CBC per se. CBC is fine; M-t-E is proven not to be.)

But:

* The timing attack also has remediations (see AGL's famous NSS patch) which don't change the protocol.

* The timing attack is fundamentally unlikely to get more powerful; it's exploiting a very simple, well-understood problem.

* Work on exploiting the RC4 attack is in its infancy, and there are multiple ways the attack could get both fundamentally more powerful and more efficiently implemented.

* There are no software-only fixes to the RC4 problem that don't break the protocol; RC4 is fundamentally and irrevocably broken.
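To make the MAC-then-Encrypt point above concrete, here is an added example (not code from the thread, and not from NSS or any TLS stack) that builds both record constructions over CBC with TLS-style padding. The block cipher is a stand-in: a four-round Feistel network keyed with HMAC-SHA256, chosen only so the example runs on the Python standard library; it is not AES and not secure. `mte_open_naive` is the receiver shape the timing attack exploits (padding checked first, MAC skipped on a padding failure, two distinguishable errors); `mte_open_uniform` is the protocol-compatible remediation (always compute the MAC, one failure result); `etm_open` shows why Encrypt-then-MAC avoids the problem structurally. All keys, messages and IVs are constructed for the demo.

```python
"""MAC-then-Encrypt (SSL/TLS 1.0 CBC record shape) vs Encrypt-then-MAC.
The block cipher below is a TOY stand-in (HMAC-SHA256 Feistel) so the
example runs on the standard library. It is an assumption, not AES."""
import hashlib
import hmac
import os

BLOCK = 16    # block size of the toy cipher (same as AES)
MAC_LEN = 32  # HMAC-SHA256 tag length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed hash of one 8-byte half (toy).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def tls_pad(data):
    # TLS-style padding: p+1 trailing bytes, every one of them equal to p.
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)


def padding_ok(data):
    p = data[-1]
    return p + 1 <= len(data) and all(b == p for b in data[-(p + 1):])


# --- MAC-then-Encrypt: tag over the plaintext, then CBC(pad(msg || tag)) ---
def mte_seal(enc_key, mac_key, msg, iv=None):
    iv = iv if iv is not None else os.urandom(BLOCK)
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, tls_pad(msg + tag))


def mte_open_naive(enc_key, mac_key, record):
    # The receiver shape the timing attack targets: a padding failure is
    # reported before (and without) the MAC work, so the two failure modes
    # are distinguishable by error and by time.
    pt = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    if not padding_ok(pt):
        raise ValueError("bad padding")
    body = pt[:-(pt[-1] + 1)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag):
        raise ValueError("bad mac")
    return msg


def mte_open_uniform(enc_key, mac_key, record):
    # Remediation that keeps the wire format: always strip, always run the
    # MAC (over the whole body when padding is invalid), one failure result.
    # Real stacks also equalise the number of hash compressions; omitted here.
    pt = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    good = padding_ok(pt)
    body = pt[:-(pt[-1] + 1)] if good else pt
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag)
    return msg if (good and mac_ok) else None


# --- Encrypt-then-MAC: tag over IV || ciphertext, checked before decrypting ---
def etm_seal(enc_key, mac_key, msg, iv=None):
    iv = iv if iv is not None else os.urandom(BLOCK)
    ct = iv + cbc_encrypt(enc_key, iv, tls_pad(msg))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_open(enc_key, mac_key, record):
    ct, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None  # rejected before any decryption: padding is never inspected
    pt = cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:])
    return pt[:-(pt[-1] + 1)] if padding_ok(pt) else None
```

Flipping a byte of the IV in an MtE record changes only the first plaintext block, so the naive receiver reports "bad mac"; flipping a byte of the last ciphertext block scrambles the padding block and it reports "bad padding". That difference in error and work is the oracle, and the uniform receiver removes it without touching the protocol. With EtM the tag fails first on either change and the receiver never reaches the padding check at all.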

makomk | 12 years ago

Interestingly, Google Chrome for Android is one of the few browsers I've seen that supports TLS 1.2 with AES-GCM